Products
OpenShift
Source
secalert@redhat.com
Tags
CVE-2024-7387 details
Published : Sept. 17, 2024, 12:15 a.m.
Last Modified : Sept. 17, 2024, 12:15 a.m.
Last Modified : Sept. 17, 2024, 12:15 a.m.
Description
A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the “Docker” strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9.1 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-250 | Execution with Unnecessary Privileges | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
9.1
Exploitability Score
2.3
Impact Score
6.0
Base Severity
CRITICAL
Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References
| URL | Source |
|---|---|
| https://access.redhat.com/security/cve/CVE-2024-7387 | secalert@redhat.com |
| https://bugzilla.redhat.com/show_bug.cgi?id=2302259 | secalert@redhat.com |
This website uses the NVD API, but is not approved or certified by it.